I strongly disagree that IDS is not effective with spyware. I grant that hids is a good thing. But maybe I'm from the old school of thought, that you can't trust any system to police itself. That system is corruptable, and thus needs outside oversight. Security 101.
That is exemplified by the number of worms that kill AV on their victims, or alter hosts files so they can't get new dats, etc. The victim sits there warm and fuzzy because they paid the 40 dollar Symantec tax, and they're blasting spam to the world, none the wiser. The code to do these things is easil available, and surely will be used by spyware once they feel a hit to their pocketbook. If there's money to be made they'll do it. Network based detection and BLOCKING is the most effective way I've seen to find and deal with spyware in a large network environment. But it's one tool in the toolbox. Once you detect with IDS you have to clean with spybot, adaware, etc. It's critical that both tools stay effective. The BEST way I've seen to deal with spyware IMHO is: (Note: I'm biased, I wrote many of these sigs and run the project that distributes them. Look at them yourself and make your own judgement) Bleedingsnort.com: 1. Run the DNS Blackhole project maintained by David Glosser. This is your first line of defense. If you don't give dns lookups for spyware then you knock out about 80% of the infections and cripple existing installs. 2. Run the Bleeding Snort Malware signatures. These will catch the vast majority of known and unknown spyware. Granted, these do require frequent addition of nes stuff, but there are a few anomaly and behavior based sigs that we catch most every new package that gets any reasonable distribution. This is layer 2, detection. 3. Participate in the Spyware listening Post. This is layer 3, future detection. This is where folks using the dns blackhole above send the hits that might normaly go to spyware firms to our listening servers. We analyze the urls and binaries requested, and write new snort signatures and follow the trails to find new domains. This makes the process a feedback loop that continues to adjust and improve. Check out http://www.bleedingsnort.com for more info on there, and a number of other very interesting tools. I've spoken a few times this summer pitching the process above, and I've gotten back a large number of success stories. And the best part is all of these tools are free. If you can contribute back time or information you discover all the better, but they're here for the long term, and are very effective. Matt On Wed, 2005-10-12 at 22:52 +0100, Omar A. Herrera wrote: > > > -----Original Message----- > > From: vipul kumra [mailto:[EMAIL PROTECTED] > > > > Hi Dhruv, > > > > I agree with what you have said... but then there is > > no 100% fool proof method for detecting anything. As > > far as I've seen iPolicy Networks IDS protection is > > quite strong... :) > > Why use a hammer with a screw? Network based detection is able to deal > pretty well with known network threats, but some sort of malware (including > some Trojans and spyware) are customized or modified and used with specific > targets. You won't detect those with generic signatures or network based > anomaly behavior. > > hIDS/hIPS ar much more effective in detecting and preventing these attacks. > If there is any anomalous activity to be detected or any forbidden action to > be blocked, it will be host based, not network based. To start, there is a > considerable number of ways that these threats can travel through the > network (e.g. web scripts, P2P messaging, email attachments, trojanized > downloaded software)and they might not even used the network to get to their > target (Sharing of USB memory sticks, CDs, DVDs,...) > > Personally I doubt that it is even worth trying to catch this kind of > malware with a network based IDS or IPS. I would rather use the time for > polishing hIPS/personal firewall policies. > > I think this is what Dhruv meant. > > Regards, > > Omar Herrera > > > ------------------------------------------------------------------------ > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it > with real-world attacks from CORE IMPACT. > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 > to learn more. > ------------------------------------------------------------------------ > -- -------------------------------------------- Matthew Jonkman, CISSP Senior Security Engineer Infotex 765-429-0398 Direct Anytime 765-448-6847 Office 866-679-5177 24x7 NOC my.infotex.com www.offsitefilter.com www.bleedingsnort.com -------------------------------------------- NOTICE: The information contained in this email is confidential and intended solely for the intended recipient. Any use, distribution, transmittal or retransmittal of information contained in this email by persons who are not intended recipients may be a violation of law and is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies. ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
